Using Burp to Capture REST API Endpoints for WAS Scanning


Qualys Web Application Scanning (WAS) supports REST API security testing using Burp, plus new 
support for Swagger. 


Did you know we’ve added Swagger support? 


If you have a Swagger file then we recommend that you use Swagger instead of Burp for your 
REST API security testing. Learn more on the Qualys Blog 


Get Started using Burp 


Scanning a REST service is a multi-step process: capture the requests using Burp, then configure
your web application in WAS to scan them. We'll help you with these steps.


Record requests to the REST service using the Burp Proxy tool


The first thing you'll need to do is configure your browser to send its traffic through the Burp
proxy. Then, in that browser, make a request to the RESTful API service, as shown below.


[Screenshot: a browser, proxied through Burp, at http://10.10.35.14:8080/WebServiceRestful_Server/RequestForm.jsp showing a "Create Rest Request" form with URL http://10.10.35.14:8080/WebServiceRestful_Server/rest/student/savetoFile, Method PUT, a JSON Post Data body, a Send button, and the Response pane showing the output returned by the service.]
Make all the required requests to the REST service. They'll be listed in Burp's Proxy HTTP history like this:

[Screenshot: the captured requests listed in the Burp Proxy HTTP history tab.]
Select the items you want to scan. Right-click and save all of the items; the saved file is the Burp log file you'll upload to WAS in the next section.
Configure your web application to launch a WAS scan


Log in to Qualys and choose Web Application Scanning (WAS) from the module picker. 


[Screenshot: the module picker with Web Application Scanning selected. Active Modules (12) include PCI Compliance, AssetView, Cloud Agent, Vulnerability Management, Continuous Monitoring, Threat Protection, Policy Compliance, Security Assessment Questionnaire, Web Application Scanning (Automated Web Application Security Assessment and Reporting) and Web Application Firewall.]
Click the Add Web Application button on your Dashboard or go to Web Applications > New >
Web Application. Then choose your starting point. Select Blank and you'll be able to build your
new web asset from scratch.


[Screenshot: Web Application Creation, "Select the starting point for your web application", with Blank and Existing Asset as the choices.]


Give your web application a name and enter the URL to the RESTful API service. 


[Screenshot: Web Application Creation wizard, Step 1 of 10, "Tell us about the asset you want to scan". The left navigation lists Asset Details, Application Details, Target Definition, Scan Settings, Crawl Settings, Redundant Links, Authentication, Crawl Exclusion Lists, Advanced Options, Comments and Review And Confirm. The Asset Details form shows the name REST-Service-Courses, the required Web Application URL field (http://) with the notice "It is your responsibility to verify that you have permission to scan all web applications that you specify as scan targets", Custom Attributes (Name/Value, "Enter one or many lines") and Tags (no tags selected).]
Select the crawl scope and enter explicit URLs to crawl, if required. Then click Upload Burp Log File.


[Screenshot: Web Application Creation wizard, Step 2 of 10, "Tell us about the web application you want to scan". Target Definition shows the Web Application URL, the required Crawl Scope (set to "Limit at or below URL hostname"), the field "Explicit URLs to Crawl / REST Paths and Parameters / SOAP WSDL Location", and the Burp Log File section with the help text "You have the option to upload a Burp Log File with your scan tests. Once uploaded we will parse it to create requests and then crawl and test those requests".]


[Screenshot: "Import a file from your computer" dialog with a Choose File button, a "Drop file here" area and a Continue button.]

When the Burp log file is successfully uploaded, you'll see file details on the screen, including
the report date, version, number of items captured and the size. We will parse the file to create
requests and then crawl the web application.


Note that you can upload only one Burp file with a maximum size of 5MB at a time. If you 
upload a second file, the new file will replace the old file. 
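As an added pre-upload check (example code, not Qualys's or PortSwigger's), the Python below parses a Burp "Save items" export in the layout Burp writes (an `<items>` root with one `<item>` per captured request and a base64-encoded `<request>`), counts the items, reads the Burp version, checks the 5MB limit stated above, and flags captured hosts outside the web application's hostname, which the default "Limit at or below URL hostname" crawl scope will not test. The sample export is constructed inline; its PUT mirrors the request form shown earlier.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # WAS takes one Burp log of at most 5MB


def _item(url, method, raw_request):
    """One <item> in Burp's save-items layout (constructed sample data)."""
    u, b64 = urlparse(url), base64.b64encode(raw_request.encode()).decode()
    return (f"<item><url><![CDATA[{url}]]></url><host>{u.hostname}</host>"
            f"<port>{u.port or 80}</port><protocol>{u.scheme}</protocol>"
            f"<method><![CDATA[{method}]]></method><path><![CDATA[{u.path}]]></path>"
            f'<request base64="true"><![CDATA[{b64}]]></request></item>')


BASE = "http://10.10.35.14:8080/WebServiceRestful_Server"
HOST = "Host: 10.10.35.14:8080\r\n"
SAMPLE_BURP_XML = (  # constructed: the PUT mirrors the request form above
    '<?xml version="1.0"?><items burpVersion="1.7.15">'
    + _item(BASE + "/rest/student/savetoFile", "PUT",
            "PUT /WebServiceRestful_Server/rest/student/savetoFile HTTP/1.1\r\n"
            + HOST + 'Content-Type: application/json\r\n\r\n{"content":"Text"}')
    + _item(BASE + "/rest/student/list", "GET",
            "GET /WebServiceRestful_Server/rest/student/list HTTP/1.1\r\n" + HOST + "\r\n")
    + _item("http://cdn.example.net/lib.js", "GET",  # third-party script, out of scope
            "GET /lib.js HTTP/1.1\r\nHost: cdn.example.net\r\n\r\n")
    + "</items>"
)


def check_burp_log(xml_text, web_app_url):
    """Summarise what WAS will receive: item count, version, size and scope."""
    target_host = urlparse(web_app_url).hostname
    root = ET.fromstring(xml_text)
    in_scope, out_of_scope = [], set()
    for item in root.iter("item"):
        host = item.findtext("host", "")
        # 'Limit at or below URL hostname' means WAS never replays other hosts
        if host != target_host:
            out_of_scope.add(host)
            continue
        # Save items base64-encodes the raw request by default
        raw = base64.b64decode(item.findtext("request", "")).decode("latin-1")
        # keep the request line so a reviewer sees exactly what is replayed
        in_scope.append((item.findtext("method", "").strip(),
                         item.findtext("path", ""), raw.split("\r\n", 1)[0]))
    return {"items": len(root.findall("item")),
            "burp_version": root.get("burpVersion"),
            "size_ok": len(xml_text.encode()) <= MAX_UPLOAD_BYTES,
            "in_scope": in_scope, "out_of_scope": sorted(out_of_scope)}
```

Run it against a real export before uploading; anything listed under out_of_scope needs either a wider crawl scope or its own web application entry.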
[Screenshot: Web Application Creation wizard, Step 2 of 10, after the upload. Crawl Scope is "Limit at or below URL hostname". The Burp Log File section shows the Upload Burp Log File button and the uploaded file 68_39_3004_get_post_put_404 with Download and Remove links, plus its details: Report Date 03 Feb 2017, Burp Version 1.7.15, # Items 4, and Size in KB.]


Click Continue and walk through the remaining steps to save your new web application. You'll 
be prompted to choose an option profile (under Scan Settings), crawl settings, authentication 
options, etc. Note - The option profile you choose must have SmartScan enabled (see below). 


[Screenshot: Option Profile Creation, Step 2 of 5, "Please define how the scan will perform". The left navigation lists Profile Details, Document Type, Scan Parameters, Search Criteria, Comments and Review And Confirm. Document Type: "Ignore common binary files based on file extensions." SmartScan Support: "When enabled we'll perform advanced scanning, using enhanced AJAX/SPA deep crawling and vulnerability testing for a number of actions per page. This option is recommended for scanning sites with advanced frameworks and technologies", with an Enable SmartScan Support checkbox and the required SmartScan Depth setting ("You can customize the number of actions that can be tested per page. Note the higher the number you set, the longer the scan duration"). Behavior Settings: "These settings define the threshold to be reached before stopping the scan. If you deactivate these settings, the scan will keep running no matter how many errors it will find", with Timeout Error Threshold 100.]


That’s it! Your web application is configured and ready to scan. 